Deliberate or accidental, damage caused by the misuse of portable media devices in the workplace is emerging as a key data security issue for IT managers. The havoc that can be wreaked is not only catastrophic for business, but may leave companies and their directors legally exposed for violating privacy laws or contravening corporate governance obligations. The good news is that the risk is incredibly simple to eliminate. Howard Waterson explains how to secure an organisation against any misuse of these tiny gadgets.
The uncontrolled use of portable media devices on the corporate network is creating a major security loophole that many organisations are now recognising as a real threat to the integrity and security of their digital assets. Most security solutions focus on blocking the corporate network from the dangers of hackers, viruses, trojans and so on. However, this approach fails to cover the equally serious threat of 'The Insider'.
The insider risk to business is two-fold. Proprietary data or company secrets might simply walk out the door on an iPod or USB thumb drive. Equally risky, the act of recklessly connecting such devices to a company network dramatically increases a business's exposure to harmful computer viruses and other types of malware.
To confidently address this latest security threat requires a two-phase approach. First, develop and implement an acceptable use policy (AUP). Then, enforce the policy by deploying a suitable endpoint security device.
Apart from being a logical starting point, having an AUP for portable media devices is a matter of sound corporate governance. Organisations need to protect their own interests (as well as those of shareholders, customers and employees) against the inappropriate use of corporate assets, especially in the areas of information technology. As such, businesses need to set, communicate and enforce policies on the acceptable use of these assets and the information they access.
An AUP is a common method for setting clear boundaries between employer and employee on what is permissible and what is not in the corporate IT environment. In an increasingly litigious world governed by strict privacy laws and regulatory authorities, an AUP plays an important role in risk management.
Having an AUP in place not only helps address compliance, but it is also an effective means of reducing the risk of vicarious liability arising from employee actions. However, as everyone knows, policies are only worthwhile if they are successfully enforced.
The following 10 steps are designed to help organisations institute an effective AUP for portable media devices and understand the technology required to support policy enforcement.
1. Assess your endpoint security risks
Knowing where and how many points of access for portable media devices exist in your office is critical to controlling them - you can't manage what you can't see. If you're not convinced that these tiny gadgets pose a serious risk, then consider this. A 20 GB MP3 player can hold more than 750,000 documents.
When choosing an endpoint security solution, you will notice that some vendors include free trial auditing software that can help determine the extent of your risk before you buy. Give it a try, you may be shocked at what you find.
2. Determine the scope of the problem
How many employees use portable media devices at work? How often do they connect those devices to the network? Conduct an anonymous employee survey to gauge the problem.
3. Assess departmental needs and legitimate device usage
For some employees, portable media devices are essential to their productivity. However, not everyone falls into this category. Liaise with heads of departments to ascertain which staff 'must have' access via portable devices. Determining what constitutes necessary departmental needs will help you control network access and mitigate risk without significantly impacting productivity.
A good way to start shaping your policy is to create a 'white list' grid of permissible actions. On the left, list all employee groups (eg, field sales, marketing, department managers) and across the top, list all portable device options (eg, USB sticks, PDA sync, burn CDs). The default 'listing' against each employee group should be 'No' to block all transactions. Exceptions, marked 'Yes', will accommodate legitimate actions by authorised staff.
4. Draft an AUP
Draft a comprehensive paper-based AUP as the foundation for device usage at work. Organisations should consider:
- Any policy issued by an organisation should be compatible with prevailing applicable laws, regulatory requirements and best practice. As such, research is a vital stage in the preparation of policy, and it may be worth investing in third-party professionals to help set the parameters for what should and should not be in a policy.
- The requirements of the organisation itself will also have to be considered and will usually be easy to establish. The final decision as to what goes into a policy is a matter of commercial judgement.
5. Enforce the AUP
An AUP may dictate how some employees use portable media devices. However, without electronic enforcement of these written policies, others are at liberty to accidentally or intentionally break rules without anyone noticing. Be sure to back up your comprehensive paper-based policy with an appropriate endpoint security device.
6. Evaluate your options
While complete PC lockdown is a common method for protecting against USB security breaches, companies must be aware that blanket restrictions of a user's access rights will dramatically impact productivity. Supporting an organisation's security policy while simultaneously enabling it to continue working productively will require a network-wide solution that supports 'permissible' use of media devices, but blocks unauthorised connections.
Worth noting is that device management products that do not protect against the use of Wi-Fi, Bluetooth and infrared ports do not fully protect an organisation from data theft.
For example, many mobile phones now feature contact and diary applications that can be synchronised with their PC counterparts. A growing number of these also support other file formats, which make them a perfect 'undercover' storage medium for those wishing to avoid suspicion. The same device that can be used to synchronise diaries for field staff is also capable of copying and storing corporate databases such as prospects, client information or employee personal data in a matter of seconds.
Also, with many notebooks now featuring Bluetooth, IrDA and Wi-Fi connectors as standard, data transfer has never been so easy.
Finally, new device breeds, such as USB drives that disguise themselves as CDs, can 'spoof' security products and bypass USB removable lockdown commands. Make sure the solution you select can combat the latest threats.
Keep in mind that ease of use, flexibility and manageability are key features for any security product. Look for products with easy-to-use auditing and reporting capabilities that can continually assess the state of your network and help you modify policy as needed.
7. Deploy your solution
Another consideration when comparing available endpoint security solutions is deployment. Look for a solution that a single administrator can deploy from a central server to the entire network, including global sites, preferably without the need for a third-party tool.
8. Educate staff during deployment
Don't leave staff in the dark. Communicate that security software has been deployed to help enforce the AUP that has been established. An educational campaign consisting of a company-wide email would be a quick way to communicate an addendum to existing user policy. Many products have educational tools as standard to help this process.
9. Assign individual device access rights
Today's most comprehensive solutions will allow organisations to manage devices at a granular level. Make sure employees can use the devices they legitimately rely on every day and that the solution you select allows different access rights for different employees.
To help manage the task of assigning access, define access control by user groups, business units or individual employees. For organisations that have already made the investment in Active Directory, look for a solution that can reflect the user groups already established. This will make it easy to grant the appropriate permission to your pre-configured groups of employees.
Flexibility is another requirement. The systems administrator needs to be able to respond quickly to changing business needs and support authorised access where a temporary exception overrides the standard access policy.
10. Continue to manage risk
Choose a credible vendor who can protect against new portable media devices that come to market, so you are always secure. In addition, continue to audit your network regularly to identify evolving threats and shifts in device usage.